Can't seem to get concurrent session handling to work properly. Granted that IE8 shares the same session ID between all browser windows, tabs, etc., One would "assume" that if the File -> New Session button of IE8 were used to create a new session, the concurrent session handling filter would notice the two active sessions for the same user and return the expired-url page.

Other than implementing the <session-management> element:
Code:
<session-management>
     <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/login.jsp?expired=true" />
</session-management>
and adding the HttpSessionEventPublisher to the web.xml:

Code:
<listener>
     <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

What could cause ConcurrentSessionHandling to fail?